Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and fill in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

biometric + pin unlock #687

Open AykutCevik opened 4 years ago

AykutCevik commented 4 years ago

First of all, thank you for this great app!

I'm currently using a long password to unlock my key-store. Of course it would be comfortable to use a fingerprint or any other biometric method but I'm feeling that this may be too insecure.

Feature request: Is it possible to combine a biometric method with a numeric pin which is set within the app? Therefore not only my fingerprint will be used but also a numeric pin code to unlock the store. With this method in combination I would save a lot of time while unlocking the store but would still have a higher level of security.

Thanks for consideration!

J-Jamet commented 3 years ago

What you ask is normally already the case, because when you unlock a database with the fingerprint, it can only work if the phone is secure (i.e. an unlocking method is active with a password / pin / pattern). If not, you simply cannot use the biometric unlock.

It would be possible to set an invalidation time that asks the user to fill in his device credential again but this would be in my opinion anecdotal and would require a lot of development time whereas it is enough to use the good practice of putting your phone to sleep when you have finished using it.

AykutCevik commented 3 years ago

@J-Jamet, sorry for the late response. I just tried what you have explained to double-check my request. What I meant is a separate PIN code. Imagine the scenario where you give access to your device PIN to your family members. So the device is in your manner secure but still people have access to it for certain reasons. Another scenario is that with biometric unlock your device can be forced to be opened without your consent by pressing your finger on the sensor. On this device you also have a KeePass database with a strong password just for you. So if I set up the biometric unlock for the database it will be opened in both scenarios. For this, I would like to enter a few digits to add another security layer.

J-Jamet commented 3 years ago

Imagine the scenario where you give access to your device PIN to your family members

If I imagine this scenario, it's being an obvious user security flaw, not a technical flaw. In the best case, you have to create a new profile on your phone if you want to lend it.

I can give you hundreds of similar scenarios, but one easier user security flaw:

You just need to be careful that a third party user does not have access to your credentials. A password manager is not magic if there are breaches at the user level.

AykutCevik commented 3 years ago

Hello @J-Jamet, I share your thoughts and it is not a security flaw for the app itself but this was also not my point in this request - you may have misunderstood it. Since I have seen it as another use-case which would highlight this app in comparison to others, it is just another convenient feature for using it. I wanted to share this as a thought/idea. Keep up the great work.

J-Jamet commented 3 years ago

It's possible that I misunderstood, that's why I like debates, it allows one to question the fundamental questions. Don't hesitate to tell me where I'm going wrong. I understand the idea, it's just that a good reason is necessary to implement it because my time is not extensible. Here there will be no real benefit for the design time of the feature, but like I said it's always interesting to bring new ideas, so thanks for that.

AykutCevik commented 3 years ago

No worries and thank you for consideration. I totally understand that this may not have a high priority considering other open tasks on the roadmap but I'm happy that I was able to share it :)

Bubu commented 3 years ago

I had the same thoughts today about wanting PIN + biometric unlock.

What you ask is normally already the case, because when you unlock a database with the fingerprint, it can only work if the phone is secure (i.e. an unlocking method is active with a password / pin / pattern).

That might be true but at the same time this isn't helping at all if the phone also unlocks with a fingerprint. (Yes, I could disable that and it would be more secure but this will be a worse usability change than disabling biometric unlock for keepassdx).

The problem here is that it's either fingerprint or pin unlock, not both for the phone. And I feel quite uncomfortable with allowing one fingerprint to unlock both my phone and the keepass db on said phone.

whereas it is enough to use the good practice of putting your phone to sleep when you have finished using it.

I hope you don't mean shutting down the phone here? Otherwise my phone only asks me for my pin about once every few weeks. It does require it once after reboot though.

It does sound like there's no good inbuilt solution to this in Android, which is a shame. I'll think about this some more I guess, but until then I'll need to stick to typing my long password again :(.

rugk commented 3 years ago

If I imagine this scenario, it's being an obvious user security flaw, not a technical flaw. In the best case, you have to create a new profile on your phone if you want to lend it.

Slightly off-topic, but Android does have a feature to pin apps for exactly that use case, i.e. you can allow only one app to be used and then hand the phone off to another (physical) user…

AFAIK, the autofill feature should not work in this case (which is good), because it would spawn a new window.

rugk commented 3 years ago

The threat model I see being more realistic is a sleeping (again physical) user.

Threat model: So I am sleeping and have configured biometric unlock for phone and the DB. As such, anyone can unlock your phone and login to all sites in your DB while you are sleeping if you are a sound sleeper.

Technically it's all the same though and I guess everything has been said. It's really a pity Android does not allow 2FA login on their lockscreen (AFAIK some CustomROMs used to[?] do that, but well… that does not help for the majority of users/this app here in any case).

J-Jamet commented 3 years ago

The problem here is that it's either fingerprint or pin unlock, not both for the phone. And I feel quite uncomfortable with allowing one fingerprint to unlock both my phone and the keepass db on said phone.

I understand the problem. But allowing two different methods at the same time is not native to the Android API. The only way to do it is to add third party libraries and link them to different parts of the main password to generate hashes to recombine. This would make the program more cumbersome and I prefer to use the system tools for the moment.

I hope you don't mean shutting down the phone here?

I just wanted to say that putting the phone in standby mode allows one to activate the phone authentication (the phone PIN / Pattern, in addition to the KeePassDX fingerprint if it's set up that way)

It does sound like there's no good inbuilt solution to this in Android, which is a shame. I'll think about this some more I guess, but until then I'll need to stick to typing my long password again :(.

Yes sorry, I thought of several solutions but the advanced unlocking is rather complicated to manage. I am open to technical proposals of course.

Slightly off-topic, but Android does have a feature to pin apps for exactly that use case, i.e. you can allow only one app to be used and then hand the phone off to another (physical) user…

Thanks @rugk for highlighting this. This will be useful for many people who lend their phone. But I didn't test if the autofill worked in this case.

mosiser commented 7 months ago

I don't feel comfortable either to only use fingerprint to protect all my credentials, so I have to write my long master password every time, and it's annoying...

The problem here is that it's either fingerprint or pin unlock, not both for the phone. And I feel quite uncomfortable with allowing one fingerprint to unlock both my phone and the keepass db on said phone.

I understand the problem. But allowing two different methods at the same time is not native to the Android API. The only way to do it is to add third party libraries and link them to different parts of the main password to generate hashes to recombine. This would make the program more cumbersome and I prefer to use the system tools for the moment.

Without messing with the main password, maybe it is possible to "pin protect" the app, instead of the database... And, in addition, add an "X times wrong password, I delete the database"... I think it would be simpler (many apps have a "pin to unlock" option) than combining 2 authentications to store the main password, and it adds a level of protection in case the "stealer" has access to your fingerprint...

Slightly off-topic, but Android does have a feature to pin apps for exactly that use case, i.e. you can allow only one app to be used and then hand the phone off to another (physical) user…

Thanks @rugk for highlighting this. This will be useful for many people who lend their phone. But I didn't test if the autofill worked in this case.

Sadly, many phones don't allow this (e.g. Xiaomi with Miui)

rugk commented 7 months ago

maybe it is possible to "pin protect" the app

Don't wanna talk for the maintainer, but it's likely not, in a secure way at least. Apps do not have the low-level access to the TPM to make that secure (or do they?). I.e. to force an action/lockout if you type it wrong three times. Only the system lock can do that and apps, as this one, can offload secrets to the system/biometric locking, …

J-Jamet commented 7 months ago

Here, the solution is not to pin the application. That wouldn't change anything, we'd have to store the credentials on the phone somehow.

The solution is to link biometric recognition to a single unlocking factor in the database. This would enable the fingerprint (linked to the password) to be used with a key file, or the fingerprint (linked to the key file) to be used with a password (this could be a PIN).

I plan to add a maximum number of fingerprint attempts
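The "link the fingerprint to one factor and combine it with a PIN" design from this thread, as an added sketch that is not KeePassDX code: a biometric-released secret (stand-in for a key the Android Keystore only hands out after a successful prompt) and a scrypt-stretched PIN are bound with HMAC into one wrapping key, and only that key recovers the stored master password. The attempt counter is illustrative only; as noted earlier in the thread, a counter an app keeps in its own storage can be reset by anyone who can edit that storage.

```python
"""Two-factor unlock sketch: PIN + biometric-released secret -> wrapping key."""
import hashlib
import hmac
import secrets

# Constructed sample values. In a real app the biometric secret would live in
# the Android Keystore and be released only after a successful biometric prompt.
BIOMETRIC_SECRET = secrets.token_bytes(32)
SALT = secrets.token_bytes(16)
MASTER_PASSWORD = b"correct horse battery staple"  # constructed sample


def pin_factor(pin: str, salt: bytes) -> bytes:
    """Stretch the short PIN with scrypt so offline guessing costs real CPU and memory."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def wrap_key(bio: bytes, pin_key: bytes) -> bytes:
    """Bind both factors: neither the biometric secret nor the PIN alone yields the key."""
    return hmac.new(bio, b"unlock-v1" + pin_key, hashlib.sha256).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for a real AEAD such as AES-GCM."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def enroll(pin: str, bio: bytes, salt: bytes, master: bytes) -> dict:
    """Store the master password wrapped under the combined key plus an integrity tag."""
    k = wrap_key(bio, pin_factor(pin, salt))
    ct = bytes(a ^ b for a, b in zip(master, keystream(k, len(master))))
    tag = hmac.new(k, ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag, "attempts": 0}


def unlock(blob: dict, pin: str, bio: bytes, max_attempts: int = 5):
    """Return the master password, or None on a wrong factor or after too many failures."""
    if blob["attempts"] >= max_attempts:
        return None  # caller would wipe the blob here (the "delete the database" idea)
    k = wrap_key(bio, pin_factor(pin, blob["salt"]))
    expected = hmac.new(k, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        blob["attempts"] += 1
        return None
    blob["attempts"] = 0
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream(k, len(blob["ct"]))))
```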

mosiser commented 7 months ago

maybe it is possible to "pin protect" the app

Don't wanna talk for the maintainer, but it's likely not, in a secure way at least. Apps do not have the low-level access to the TPM to make that secure (or do they?). I.e. to force an action/lockout if you type it wrong three times. Only the system lock can do that and apps, as this one, can offload secrets to the system/biometric locking, …

I don't mean a lockout from the app, I understand it's hard to do. I mean a simple "until you enter the right pin, you cannot open the app". Many apps do that, without using system credentials, or TPM. It doesn't have to be super-secure, it can be a simple additional layer so as not to leave the fingerprint as the only access barrier. It could be a simple pin saved in a txt file in app protected storage, and a check on start if the entered pin is the same as the saved one, then continue to the main screen (OR delete the database...)

So, enter the pin to open the app, and then use the fingerprint (linked to the master password) to unlock the database. If the pin is wrong many times, delete the database.

Here, the solution is not to pin the application. That wouldn't change anything, we'd have to store the credentials on the phone somehow.

I think pin the application could be a simple way to add a minimal (but often enough) layer to the fingerprint only access.

The solution is to link biometric recognition to a single unlocking factor in the database. This would enable the fingerprint (linked to the password) to be used with a key file,

But that doesn't solve the problem, because the key file is already in the phone, so the fingerprint remains the only protection on the local machine

or the fingerprint (linked to the key file) to be used with a password (this could be a PIN).

In this case, you have to modify the master password to be a simple pin, reducing the protection of the database file outside of the app. A problem that occurs mainly when the database is synced between different machines...

I plan to add a maximum number of fingerprint attempts

I don't know, this isn't very helpful in the case of the sleeping owner (the fingerprint would be correct at first attempt), but can be problematic when the fingerprint reader doesn't work well at first attempt...

Btw, I'm not complaining, the app is great, I'm just sharing ideas... 😀

J-Jamet commented 7 months ago

I mean a simple "until you enter the right pin, you cannot open the app". Many apps do that, without using system credentials, or TPM. It doesn't have to be super-secure, it can be a simple additional layer so as not to leave the fingerprint as the only access barrier. It could be a simple pin saved in a txt file in app protected storage, and a check on start if the entered pin is the same as the saved one, then continue to the main screen (OR delete the database...)

For me, this is the job of an app launcher. I know that some ROMs also offer this, so for all applications it's possible to set a custom pin. I'm not thinking of adding it directly to KeePassDX, but if there's a strong demand for it, it could be a custom launcher app to create.

I don't know, this isn't very helpful in the case of the sleeping owner (the fingerprint would be correct at first attempt), but can be problematic when the fingerprint reader doesn't work well at first attempt...

The phone should be set by the user to lock after a certain period of time, and offer a global unlocking system that can be parameterized in ways other than only fingerprint.

hchaase commented 2 weeks ago

I would like to second this request.

As I see it, the problem is:

  1. a long password is too cumbersome for daily use
  2. only fingerprint is very low security
  3. only pin is very low security

The police can legally force your finger to unlock / someone can drug you / or just use your finger when you are passed out drunk/sleeping. I don't really see biometrics as secure. The solution would be to not use biometrics (e.g. pin) but this can be shoulder-surfed / a family member may know the pin.

So in isolation, neither option is great.

I don't know, this isn't very helpful in the case of the sleeping owner (the fingerprint would be correct at first attempt), but can be problematic when the fingerprint reader doesn't work well at first attempt...

The phone should be set by the user to lock after a certain period of time, and offer a global unlocking system that can be parameterized in ways other than only fingerprint.

Here I see the scenario: you fall asleep. Your pin is shoulder-surfed / your kid knows your pin. They unlock the phone and use your fingerprint to unlock KeePassDX.

I do think that a second layer is needed. If that is out of the question, a button to disable fingerprint fast would maybe give you a small chance of locking your db (if you are not asleep). (But that is a lot of ifs and maybes.)